Hello, I have created the following search to show fieldsummary on 4 fields: devicename, ip, platform, and market, as below.
I want to filter the fieldsummary results further by market, which shows devicename, ip, platform with individual market combinations, and show null counts and percentages computed in search.
Can the search be modified to further group the devicename, ip, platform by market for null values?
environment=test sourcetype=API1
| fields + devicename,Ip,platform,market
| fieldsummary maxvals=10
| where (values like "%null%" OR isnull(values) OR values like "%NULL%")
| fields - is_exact, max, mean, min, numeric_count, stdev, distinct_count
| rex field=values "null\",\"count\":(?<null_count>\d+)"
| eval Percentage_null=if(isnull((null_count/count)*100),0,round((null_count/count*100),2))
| fieldformat count=tostring(count,"commas")
| fieldformat null_count=tostring(null_count,"commas")
| sort Percentage_null,values desc
Current results:
field Percentage_null count null_count values
devicename 1.60 4,388 130 [{"value":"null","count":701},cf28ng==","count":24}]
IP 1.33 4,388 212 [{"value":"null","count":512},{"value":"44.55.5.55":206}]
platform 0.45 4,388 852 [{"value":"null","count":273},{"value":"Android":4000}]
market 0.14 4,388 100 [{"value":"null","count":2000},{"value":"CA","count":2000},{"value":"JP","count":6}